7.3. Security checklist

This chapter provides a summary of recommendations regarding security in Neo4j.

Below is a simple checklist highlighting the specific areas within Neo4j that may need some extra attention in order to ensure the appropriate level of security for your application.

  1. Deploy Neo4j on safe servers in safe networks:

    1. Use subnets and firewalls.
    2. Only open up for the necessary ports. For a list of relevant ports see Section 3.2, “Ports”.
  2. Protect data-at-rest:

    1. Use volume encryption (e.g. Bitlocker).
    2. Manage access to database dumps (refer to Section 10.3, “Dump and load databases”) and backups (refer to Section 6.2, “Perform a backup”). In particular, ensure that there is no external access to the port specified by the setting dbms.backup.address (this defaults to 6362). Failing to protect this port leaves a security hole open by which an unauthorized user can make a copy of the database onto a different machine.
    3. Manage access to data files and transaction logs. Prohibit all operating system access to Neo4j files except as instructed in Section 3.1.3, “Permissions”.
  3. Protect data-in-transit:

    1. For remote access to the Neo4j database, only open up for encrypted Bolt or HTTPS.
    2. Use SSL certificates issued from a trusted Certificate Authority.

      1. For installing SSL certificates in Neo4j refer to Section 3.7, “Install certificates”.
      2. For configuring your Bolt and/or HTTPS connectors, refer to Section 3.6, “Configure Neo4j connectors”.
      3. If using LDAP, configure your LDAP system with encryption via StartTLS; see the section called “Use LDAP with encryption via StartTLS”.
  4. Be on top of the security for custom extensions:

    1. Validate any custom code that you deploy (procedures and unmanaged extensions) and ensure that they do not expose any parts of the product or data unintentionally.
    2. Survey the settings dbms.security.procedures.unrestricted and dbms.security.procedures.whitelist to ensure that they exclusively contain intentionally exposed extensions.
  5. Ensure the correct file permissions on the Neo4j files. Only the operating system user that Neo4j runs as should have permissions to those files. Refer to Section 3.1.3, “Permissions” for instructions on permission levels. In particular, protect data files, transaction logs and database dumps from unauthorized read access. Protect against the execution of unauthorized extensions by restricting access to the bin, lib, and plugins directories.
  6. If LOAD CSV is enabled, ensure that it does not allow unauthorized users to import data. How to configure LOAD CSV is described in Developer Manual → LOAD CSV.
  7. Do not turn off Neo4j authentication. Refer to Section 7.1.3, “Enabling authentication and authorization” for details on this setting.
  8. Survey your neo4j.conf file (see Section 3.1, “File locations”) for ports relating to deprecated functions (such as neo4j-shell, controlled by the parameter dbms.shell.port) and remote JMX (controlled by the parameter setting dbms.jvm.additional=-Dcom.sun.management.jmxremote.port=3637).
  9. Use the latest patch version of Neo4j.